Hi,

The Harvest v1.3 documentation on page 18 has steps to create ssl certs and install to the Harvest host and the cluster.  Did you use these?

In the poller entry you also need something like to tell harvest to use cert (not the default password) auth and provide the files (that are in the ./cert subdir):

auth_type      = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

Cheers,

Chris Madden

Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)

Blog: It all begins with data

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO or both!

Hello Chris,

Thanks for the quick response.

I followewd the ssl_cert part in the manual

So created 2 files in cert/

-rw-r--r--. 1 root root 916 Sep 27 12:10 netapp-harvest.key
-rw-r--r--. 1 root root 1078 Sep 27 12:10 netapp-harvest.pem

And the part in netapp-harvest.conf is:

## If using ssl_cert (and not password auth)
## uncomment and populate next three lines
auth_type = ssl_cert
# ssl_cert = INSERT_PEM_FILE_NAME_HERE
# ssl_key = INSERT_KEY_FILE_NAME_HERE
ssl_cert = netapp-harvest.pem
ssl_key = netapp-harvest.key

[nlnaf100]
hostname = nlnaf100
group = nl

Still getting:

[2017-09-27 18:51:55] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-27 18:51:55] [WARNING] [main] system-info update failed; will try again in 10 seconds.

Hi @maartendeboer

Your config syntax looks ok.  I would start try the instructions fresh with new cert files, and use a new username.  I suspect either re-using the username is causing an issue or somewhere in the steps there was a small mistake.  Retrying from scratch is my suggestion.

Cheers,

Chris Madden

Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)

Blog: It all begins with data

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO or both!

Hello Chris,

I followed the steps from page 18 from the NH Admin Guide.

- Emptied netapp-harvest/cert/

- Created new CERT-files : # openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout 10yr.key -out 10yr.pem

- In the CERT-dir:

ls -l
total 12
-rw-r--r--. 1 root root 916 Sep 28 11:17 10yr.key
-rw-r--r--. 1 root root 1078 Sep 28 11:17 10yr.pem
-rw-r--r--. 1 root root 184 Nov 10 2016 README.txt

- Entered ALL the info (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) from 10yr.pem

::> security certificate install -type client-ca -vserver <clustername>

Answer: You should keep a copy of the CA-signed digital certificate for future reference.

- Enabling:

::> security ssl modify -client-enabled true -vserver <clustername>

- Creating (new) user:

::> security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod cert

Modify config-file:

# vi netapp-harvest.conf

username = netapp-harvest-2
auth_type = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

Resulting in log-file:

[2017-09-28 11:26:39] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <cluster>]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will monitor a [FILER] at [<cluster>:443]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will use [ssl_cert] authentication with ssl_cert [10yr.pem] and ssl_key [10yr.key]
[2017-09-28 11:26:39] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-28 11:26:39] [WARNING] [main] system-info update failed; will try again in 10 seconds.

Comes my question.

How does netapp-harvest connects to the cluster?

I've configured in conf-file:

username = netapp-harvest-2

And created at the cluster the user "netapp-harvest-2"

But  I thought it would NOT use username (& password)

Or should I still create a user WITH password like:

security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod password

This is NOT clear to me.

I've made a process-trace (strace) of it. But thats not usefull to add it to this community.

Hope yoiu can help me how to solve "Authorization failed".

Kind Regards, Maarten de Boer

Trying more;

Switched to username + password (at cDOT).

Do I get in the log-file:

[2017-09-28 13:38:00] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <clustername>]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will monitor a [FILER] at [nlnaf107:443]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will use [password] authentication with username [netapp-harvest-2] and password [**********]
[2017-09-28 13:38:00] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: in Zapi::invoke failed to connect SSL ; Recommend to verify TLS is enabled (7-mode: options tls.enable) and/or setup ssl again (7-mode: secureadmin setup ssl)
[2017-09-28 13:38:00] [WARNING] [main] system-info update failed; will try again in 10 seconds.

Does Netapp-Harvest NOT recognize cDOT?

Because its complaining about TLS (at 7-mode)

KR, Maarten de Boer

Hi @maartendeboer

Did you set the common name on the certificate to netapp-harvest-2 when you created it?

When using ssl_cert auth your config file would be something like:

auth_type = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

No username = value is needed in the harvest conf file.

On the cluster you do not need to configure an -authmethod password either.

I just verified by creating a netapp-harvest-2 user on my cluster with the instructions from the install and admin guide and it worked.  Cluster is running 9.1 (but I have another running 8.2 with the same config).

Cheers,

Chris

Hello Chris,

No I did not.

I used the nonFQHN servername of the netapp-harvest-server

Common Name (eg, your name or your server's hostname) []:<nh-servername>

But now I, might, understand how the "connection" with CERT & username is made.

Keep you posted.

KR, Maarten de Boer